24、OpenSSL生成CA证书及终端用户证书

1、准备ca.conf配置文件​​​​​​​

内容如下

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = CA Test

2、生成ca.key

penssl genrsa -out ca.key 4096

3、生成ca证书签发请求ca.csr

openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf

4、生成ca.crt证书

openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

5、准备终端配置文件

server.conf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = www.crttest2022.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.crttest2022.com
DNS.2   = www.crttest2022.com
IP      = 192.168.1.245

6、生成服务端密钥server.key

openssl genrsa -out server.key 2048

7、生成服务端证书签发请求，server.csr

openssl req -new -sha256 -out server.csr -key server.key -config server.conf

8、生成服务端证书，server.crt

openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial 
-in server.csr -out server.crt -extensions req_ext -extfile server.conf

9、修改hosts

127.0.0.1 www.crttest2022.com

10、配置nginx.conf

将server.crt和server.key放到nginx.conf同级目录

server {
    listen 80;
    server_name www.crttest2022.com;
    #将请求转成https
    rewrite ^(.*)$ https://$host$1 permanent;
}
    server {
        listen  443 ssl;
        server_name  www.crttest2022.com;
        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;
		root C://dist;
		index index.html index.htm;
      location ^~ /api/{
            proxy_pass http://127.0.0.1:7001;
            proxy_send_timeout 1800;
            proxy_read_timeout 1800;
            proxy_connect_timeout 1800;
            client_max_body_size 2048m;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header  Host              $http_host;   
            proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
        }
        location ^~ /auth/{
            proxy_pass http://127.0.0.1:7001;
            proxy_send_timeout 1800;
            proxy_read_timeout 1800;
            proxy_connect_timeout 1800;
            client_max_body_size 2048m;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header  Host              $http_host;   
            proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
        }
    }

11、访问www.crttest2022.com，展示了不安全的连接

12、安装ca.crt，添加到受信任的颁发机构

13、edge访问

14、chrome访问